Export Compliance Daily is a Warren News publication.
Cantwell ‘Happy’ to Join

Blumenthal Welcomes Cantwell, Thune to Privacy Group Amid IoT Device ‘Crisis’

The voluntary approach to privacy, including IoT devices, has failed, and it’s time for government intervention to address this “crisis,” Sen. Richard Blumenthal, D-Conn., said Tuesday, citing progress on legislation. During a Senate Security Subcommittee hearing, industry officials urged legislators to pass comprehensive privacy legislation. A National Institute of Standards and Technology official noted his agency is developing a federal baseline for core cyber capabilities of IoT devices.

Sign up for a free preview to unlock the rest of this article

Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.

Blumenthal told us he welcomes participation from the newest members of the Senate Commerce Committee’s privacy working group (see 1904290147), ranking member Maria Cantwell, D-Wash., and Sen. John Thune, R-S.D. Asked about her role, Cantwell said Chairman Roger Wicker, R-Miss., “called and said he’d like to brief us on some things they’re interested in, so happy to hear what they are.”

Federal data privacy legislation will address some security issues associated with IoT, Rapid7 Public Policy Director Harley Geiger testified. Information Technology Laboratory Director Charles Romine said NIST is working as quickly and efficiently as possible to deliver a federal standard for IoT standards. The U.S. Chamber of Commerce sees it as a top priority to “achieve consensus on the technical criteria that support the IoT cyber baseline,” said President-Cybersecurity Policy Matthew Eggers. The baseline effort is the fastest, most efficient way to secure the internet, said CTA Vice President-Technology and Standards Michael Bergman.

Officials and experts have described the U.S. as the world’s cyber “punching bag,” said subcommittee Chairman Dan Sullivan, R-Alaska. He cited lack of retaliation against attackers in China, Russia, North Korea and other enemy states. Nobody wants the U.S. to be viewed as a punching bag, USTelecom Senior Vice President-Cybersecurity Robert Mayer told Sullivan, urging government collaboration because industry is often collateral damage.

Sen. Rick Scott, R-Fla., asked why the U.S. doesn’t just outlaw bad actors in China and elsewhere from doing business with U.S. entities. Everyone is cognizant of problematic companies and organizations, Eggers said, noting industry has discussed what it’s willing to tolerate. 5G buildout has gained much discussion in this regard, he said. Attempting to blacklist companies might not be the best long-term strategy, Eggers said. Bergman noted that devices sometimes include components from multiple countries, and blacklisting could create supply chain issues.

Ranking member Ed Markey, D-Mass., said cyber risks have grown significantly since the 1990s, urging colleagues support his Cyber Shield Act. The legislation would implement a voluntary program for companies to certify the security of their devices. He asked if the U.S. has reached a “crisis.” Markey told us he plans to reintroduce the bill. There's no firm timeline.

Geiger stopped short of calling it a crisis, saying, “It’s very serious.” Geiger said Rapid7 is supportive of Markey’s Cyber Shield concept: Certifying devices through a standard can make a “difference.” But it’s not the only solution, he said.

Blumenthal listed suggested requirements for IoT devices: prohibition of default passwords to access devices, required two-factor authentication and regular security patch updates.